Tom Lawrence: Building a Tech Empire by Leading with Value

Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
This is the art of network engineering, where
technology meets the human sideof IT.
Whether you're scaling networks, solving problems or shaping
your career, we've got theinsights, stories and tips to
keep you ahead in theever-evolving world of
networking.
Welcome to the Art of NetworkEngineering podcast.
My name is Andy Laptev and I amjoined in this episode by the

(00:20):
one, the man, the myth, thelegend, the one and only Jeffrey
Clark.
How you doing, jeff?

Speaker 2 (00:24):
No complaints.
It is a Friday when we'rerecording this, so that's a good
day.

Speaker 1 (00:29):
It is a good day.
I'm going down the seashoreshortly.
Tomorrow I'm going to go to thebeach.
You doing anything this weekend?

Speaker 2 (00:35):
I'm driving up to Maine.
We're going to spend a week upthere, enjoy a little cooler
temperatures.
It's not that bad.
It's like a six-hour drive,it's fine.

Speaker 1 (00:43):
Okay, You're reading my face.
I'm like, oh my God.
Well, that sounds like we havesome really fun weekend plans.
So today we are not talkingabout Maine or the beach.
Today's guest has secured morethan networks.
He's built a massive onlinecommunity teaching people about
IT, cybersecurity, ubiquity.
I mean, you name it.

(01:04):
If you want to learn somethingin IT, this is your guy.
From firewalls to YouTube fame,we're diving in with Tom
Lawrence of Lawrence Systems.
How you doing, Tom?

Speaker 3 (01:12):
Fantastic, and going to the beach does sound pretty
good.
I know it's not today's topic,but it does sound nice.
Where are you at?
You're Michigan, right?
Yeah, michigan.
So there's a couple lakesaround us, something great lakes
.
Some little ones, just somereal little ones there, just
some little ones.

Speaker 1 (01:27):
Do you guys go there Like we go to the beach, because
it's two hours from here?
Do you go to like the lakes togo hang out?

Speaker 3 (01:32):
Sometimes Right where I'm at, just south of Detroit
not so much.
If you came here you go.
There seems to be a lot offactories parked on where you
would normally see beaches.
I'm like that is correct, thisis not beachfront, this is
factory front property righthere.
It's interesting, you gotta goa little bit north, uh.
But then, yes, uh, you getnorth of detroit.
There's beaches and there'sthings to do south of detroit.

(01:54):
You're like this is justindustrial.
Yeah, they must have built somecars here or something I went.

Speaker 1 (01:59):
I went to a fun little side story.
I went to a wedding with mywife years back somewhere and I
want to say sheboygan, but Idon't know if that's accurate,
but anyway it was a good placewell, it's this beautiful place
on the water and like, but thehotel we were staying at.
I didn't realize when we walkedto a convenience store up the
road.
We shouldn't have been walkinghifter dark.

(02:20):
I don't exactly know where wewere, but we're walking down the
street and I noticed all the.
It's like 5 30 pm, the sun'sjust starting to like set, but
all the shops are closed.
The cages are down.
It's this four lane road andI'm like where are all the
people?

Speaker 3 (02:33):
you were not in chevrogan, you were in detroit,
yeah I think so in detroit inthat case?

Speaker 1 (02:37):
and then I walk into the pharmacy and I I'm like,
listen, I don't want to soundfunny, but but is it okay that
I'm out walking around?
She's like honey, I would gethome as quick as you can and
don't stop anywhere.
I should know better.
I was raised by cops, butanyway, sheboygan was beautiful.
So if you recognize Tom's voiceor see his face, you should.
The way I came upon you, tom,this is kind of like such cool,

(03:02):
what would you call it, notkismet?
So I had someone give me aubiquity system.
They gave me a udm pro and anap and like uh, thank you.
Uh, mike, you know who you areout there.
And I tried to install and Ididn't really know what I was
doing.
I mean, I know it's supposed tobe an intuitive ui and it's
easy and all.
But I'm like what is this thing?
Let me check, this isn't acisco or juniper cli.
So I'm like I'm not used to agooey, right, I'm an old school.

(03:23):
Give me a cli, let me do athing, right.
So I I started youtubing andgoogling, which I do like how do
I do a thing?
And you kept popping up.
And not only did you pop up,but like stellar content well
produced, super concise, superlike.
You got right into what Ineeded immediately, which is it
can be a rarity when you'relooking for good content like

(03:45):
you got to listen to the guy for15 minutes keep saying he's
going to get to the thing, soyour content is just stellar.
I mean 375,000 followers onYouTube for context.
For a comparison, we've beendoing this podcast for five
years.
I think we're up to 7,700YouTube subscribers, so dude

(04:05):
kudos to you.
I appreciate it as a contentcreator.
That's amazing.
So I'm hoping what we couldtalk about is like how you you
know what you've done right.
You're a very successfulcontent creator and we talk to a
lot of content creators throughthis show.
You, I guess, own and run anMSP, so we can kind of get into
that.
You know what's an MSP and you,I guess, own and run an MSP, so
we can kind of get into that.

(04:25):
You know what's an MSP and youmentioned right before we
started recording it's a $600billion business that a lot of
people don't even know what itis, because I even said that,
like I know, I should know whatan MSP is.
So maybe start there, like whatdo you do as your day job?
What is an MSP and what do youknow about tech?
I mean, how do you knoweverything?
Because your YouTube channelshows that you know.
If you have a question, TomLawrence knows the answer.

Speaker 3 (04:47):
Generalists and you get specialists and I'm a little
bit more of a generalist andthat just comes from the fact
that my tech career starts.
My first tech job is like 1996.
I start my company in 2003.
Somewhere in between I spent afew years doing some corporate
work.
I don't know there's alove-hate with corporate.
It paid really well.
It also was a bureaucracy,which is also what we were kind

(05:09):
of joking about just before theshow started.
Like yeah, working in corporatehas got its pluses and minuses.
But bringing it up tofast-forwarding a little bit, I
kind of loved public speaking.
I've always been an open-sourcenerd, linux nerd.
I was a Linux sysadmin, a mailserver admin, so I always had
like one foot in the open sourceworld.
But brought me to the opensource community.
That brought me into publicspeaking and kind of fast

(05:32):
forward to.
Where this went to YouTube wassomeone says hey, I can't make
it to your talk, you're going tobe doing an open source
firewalls, can you throw that onYouTube?
I was like sure, of course Ican throw that on YouTube.
I'm a technical person.
There's a way to record this.
It turns out.
A lot of people watched some ofmy early videos where I'm just
going through slides.
The same slide deck that Iwould use at the conference to

(05:54):
do your talk would become theslide deck I used.
It's not really well recordedbut it also got thousands of
views.
I'm like well, that's more thanthe person who asked me to put
this online.
That seems to like this, and Ithrew spaghetti at the wall for
a little while.
I had a retail store at thetime so I started saying maybe
I'll teach people how to repairlaptops and other things I do.

(06:14):
As I always said, theconsulting side of my company,
the MSP side, didn't start untillike 2015.
Actually, somewhere in betweenI had an electronics store.
I decided that was a good ideato do electronics repair, but
that actually died out becauseelectronics are not worth
repairing anymore.
So that was 2005 to 2009,.
Tom.

Speaker 1 (06:33):
Wow yeah, so I've had a variety.
Oh my.

Speaker 3 (06:37):
Yeah, just a little variety of things.
It's like this seems like a funidea and I bought an existing
electronics company because Ineeded a place for my retail
computer idea.
That was called PC Pickup andthe idea was people don't know
how to unplug computers, so Ihired some people that would run
around picking them up forpeople and delivering them as
part of our service, which thengot easier because then people
were just having us pick uplaptops.
But then, yeah, you know,remember the market around 2008,

(06:59):
2009?
Yeah, we decided to get rid ofa few things.

Speaker 1 (07:04):
So you're an entrepreneurial spirit, huh,
you've been getting after it andstarting businesses for 20
years.

Speaker 3 (07:08):
Sometimes yeah, I only do it because after working
in corporate I was so angrybecause I was on top of the
world.
Corporate went sideways.
They made some really poorchoices that we'll just say
ended in two years of IRSdepositions and me learning a
little bit about what CaymanIsland accounts are, and they
learned a whole lot about whatCayman accounts are not.
I was mad because people aboveme took a good thing and tried

(07:33):
to break it and that broke thebusiness.
So I was like I shouldn't workfor someone because that's dumb.
Turns out great idea in theory.
In my head it turns out going Iknow how to fix computers or I
know how to solve your networkproblems and fix your business.
They don't just call you out ofthe blue for that.
Um, turns out marketing is areal thing.

(07:53):
So I had to learn what ismarketing and what is not
marketing and how do you get aclient, uh.
So yeah, after I figured thatout and kind of got processes
around, it made me a little bitmore of an entrepreneur.
So somehow I've been unemployednow since 2003 without having a
real job so how did you when?

Speaker 1 (08:11):
so this is going back like, let's say, 2003.
We're in 2025 now, like I don'teven think social media existed
yet.
How were you marketing yourselfthen?
Was it like white pages, yellowpages, like newspaper ads?

Speaker 3 (08:23):
yeah, white pages, yellow yellow pages uh, you
would buy flyers.
Um, the other ways you would doit was chamber of commerce
going to any events and thatalso kind of went into me
learning I could speak at theseevents and, uh, I had a whole
long list of talks I would givethat were not necessarily
technical.
This actually came up with afun discussion with some friends

(08:45):
today.
We were talking about doingtech adjacent talks to get in
front of customers as asuggestion, because I can tell
you, youtube is our current, asit stands, the 2025 primary
inbound lead generation.
But I can't just tell everyoneto start a YouTube channel.
It's a long game, it's a hardgame and I'm more than happy to
help anyone who reaches out tome to take them down that path.
But I always warn them this isreally a lot of work.

(09:06):
But things you can do istech-adjacent talks, and I did a
lot of tech-adjacent talks.
For example, I gave lots oftalks on social media.
Turns out, chamber of Commercewould love you to talk about
social media and teach a bunchof business owners on it and you
would just give them the.
I mean you don't have to goin-depth up this.
This is what facebook pages arebecause I was doing this in
like 2010.
You know the most basic,rudimentary things.

(09:27):
You could fill a room full ofpeople.
You're like, oh, you know a lotabout that stuff.
Oh yeah, I'm an it person, Ican take care of your it needs.
So you now got a you know,opener conversation started, a
reason for them to engage andtalk with you, so those kind of
talks led to that.
I also did technical talks thatwere at the level that people
could have some takeaways andunderstand.
I've done some AI talks as thatcame out.
So I still do some of thepublic speaking events that are

(09:51):
not the deep in the weeds that Ido for YouTube, but for
audiences that are like that.
That's still a good way to getbusiness.
Is some of the public speakingstuff.

Speaker 1 (10:00):
How did you get started in tech?
I don't know if you're acomputer science guy, so you
sound like me, like a hardwareguy.
You like tactile stuff.
I'm gonna work on laptops.
I'm gonna upgrade your disc oryour ram like what.
What got you started?

Speaker 3 (10:13):
though kind of serendipity.
Um, I did not.
I grew up on a small farm.
Money was not really what wehad, so there wasn't the access
in the 80s when I was growing up, so I was born in the 70s, grew
access in the 80s when I wasgrowing up, so I was born in the
70s, grew up in the 80s.
There's no computer access.
My dad did not use technology,neither did my grandpa that I
live with.
So what happened was there was aretraining program through
General Motors.
My dad was a factory worker.

(10:34):
Actually, I am the only personin my even extended family that
wasn't just a factory worker.
That's what you do here inDetroit.
If you didn't know.
If you're in the Detroit area,you work at one of the many
factories that are scatteredaround here.
But they had a retrainingprogram and it was a gift
certificate, essentially.
That they said you can go buy acomputer from Radio Shack.
That's the only thing you canbuy with this.
And so my dad's like I don'tknow.

(10:55):
My son seems to take everythingapart.
Maybe one day he'll learn mostmad about me taking apart.
I used to help my grandpa fixall the tractors and mechanical
moving parts.
Oh, that's something I justwill play with forever.
But the computer I was hookedwith the TRS-80.

(11:16):
It was just mind blown.
I can do so much I got everyprogramming book.
I could, and, man, I just lovedit.
So I got out of high school andjumped right into computers.
I just went and found anywhere.
I went everywhere and banged onany door if it said computer in
your name in the yellow pages.
Because that's what you did.
Then I just banged on everydoor until someone said I'll

(11:37):
give you a chance and hire you.
And it's kind of just escalatedfrom there.
So my path didn't there's's.
No, it's like high school knockon doors, just find a job where
someone will let me play withtechnology.

Speaker 1 (11:46):
I didn't care if they paid me, I was just like this
is what I want to do I wasworking pizza jobs at night just
let me play with computersduring the day used to like
taking stuff apart as a kid didyou ever hurt yourself oh yeah,
I, I mean, I electrocuted thehell out of myself so quick,
quick, quick aside.
I share that passion of takingthings apart and trying to
figure out how they work withyou.

(12:06):
My stepdad had a reel-to-reel Idon't know if you remember that
, but it was a magnetic tapereel-to-reel and his broke.
So I took it upstairs to myroom and I opened up the back
and I started tinkering.
I left it plugged in because Ithought I don't know whatever.
What were you thinking then?
So I'm cross-legged on thefloor and I have it on my legs
like I'm a table.

(12:27):
And the last thing I remember Iremember the fuses go bad.
I remember hearing that I waslike seventh grade however old
you are.
Yeah, I grabbed the fuse.
That's the last thing Iremember.
I don't know what happened,yeah, but when I came to, the
reel-to-reel was on the otherside of the floor or on the
other side of my bedroom.

(12:47):
I'm on the floor and it feltlike god punched my kidneys,
like I don't know what happenedin my back.
But yeah, that was the lasttime.
That's how I learned aboutelectricity.
So you're gonna get hurt.

Speaker 3 (12:55):
taking things apart I have taken the tv apart and
that's where you learn aboutwhat a flyback is, uh-huh and
what's a flyback.

Speaker 1 (13:01):
Is that something that holds voltage?

Speaker 3 (13:03):
It's the 30,000 volt inverter that you will that
connects to the back of a tubeTV of my era.
They don't exist anymore.
You know of the air when I wasgrowing up and you definitely
are lucky if you fly back whenyou touch them, cause the other
option that happens is if yougrab them turns out you can't
let go.
That hurts a lot more.

Speaker 1 (13:25):
Did you?
Get zapped by one of those.
Oh, yeah, yeah.
Yeah, I'm guessing you gotthrown back.

Speaker 3 (13:29):
Oh, yeah, yeah, you come to going where.
What was I doing a few minutesago?

Speaker 2 (13:34):
oh wow, well, you know it's interesting I was
gonna say is is I'm listening toyou talk and um, yeah and andy,
as he said, we, we interviewother people who are content
creators, and obviously a lot ofpeople in the tech field, and
it does seem like there's a.
There's a real talk and, um andandy, as he said, we, we
interview other people who arecontent creators, uh, and
obviously a lot of people in thetech field, and it does seem
like there's a.
There's a real commonality that, uh, anyone who's been in this
field for a while or really hasmade a successful career of it

(13:55):
is, it's one.
It's just about a lot ofcuriosity.
A lot of us are tinkerers by,uh, really as a passion, not
just as a job, but as somethingthat we would do on our own.
I remember when I went to workin a data center for SunGuard
for the first time, walking inand being like I would have paid
you to let me come and playwith all of these toys.
So I noticed that with you, thesame thing seems to be true of

(14:18):
content creators, not justtinkering, but they really seem
to be very tenacious people,people who are willing to put
themselves out there, aren'tafraid to, as me and my boss,
doug, call it fail loudly.
You know go out there and bewilling to be the.
You know the public failure andyou know figure it out in front
of people.
So, as I've seen your content,that's something that I've

(14:40):
watched on there.
The other thing that I did findinteresting I was curious about
was you said that you use youronline content as lead
generation, but your videosdon't feel like ads at all.
But that's, that's great,that's brilliant marketing.

Speaker 3 (14:54):
Yeah, the, it's a very if it was a deliberate
strategy to not be shilly andsalesy, I actually, because of
an aggravation I had had I don'tever want to give more
popularity when I call peopleout for calling them out,
because it's sometimes whatthey're looking for.
But someone had said we'll justcall them self-titled creator,

(15:16):
coach, buy my course, I'll teachyou how to be a creator, blah,
blah, blah, whatever.
But they said something thatreally angered me and it was
that you don't want to give thefull solution so you can pitch
yourself as the solution andthey should buy from you.
And I'm like.
I so disagree with that.
If you see and I posted onlinkedin the other day it says
lead with value.
It's a video I did.
It's a short video, about aminute long, and I always do

(15:36):
that and it's amazing how manypeople still it is.
This is not something new.
It's not something I invented.
There's a lot of books aboutthis that go back forever, about
if you lead with value, peoplewill go oh, I wonder what that
person does.
They really taught me something.
Let me explore them more.
They're interesting people.
So if you do somethinginteresting, you help someone.
People remember who helped youand I think I said that in the

(15:59):
video.
People remember people whohelped them, not people who
threw them in a sales funnel.

Speaker 2 (16:04):
Yep, that is a hundred percent correct.
Yeah, like I said, I find it.
I did find it reallyinteresting as I'm watching the
videos and I because I had noidea that that was the lead
generating source for you untilyou said it there.
But it makes sense because,like you said, if you show value
in one thing, nobody ever needsjust one tech problem solved.

Speaker 3 (16:22):
Right and I watch, as probably all of us do.
Let's say, something broke onour car, our vehicle, whatever
that might be.
But you know, a perfect example?
Um was my friend brett.
He had to be somewhere.
Uh, then he's like, oh, mywater pump's leaking and I'm
supposed to be.
I gotta get down to texas.
He's going on a road trip andhe's like there's no places to
it.
I'm like, all right, I got abackground in mechanics.
I had a full mechanics style.

(16:43):
I used to build hot rods.
There was a time in my lifewhen that was a fun thing.
But I said I can swap a waterpump.
I've done it on my old Chevy.
Well, good news is YouTube.
The video was 30 minutes long.
I thought that seemed long fora water pump video.
Turns out, everything in thattruck has to come apart before
you can get to, saved me fromeven turning the first bolt
because I said this is not a meproject and this is not a today.

(17:05):
This is not my old Chevy.
Apparently, dodge has decidedto put everything in a way, but
someone on YouTube took the timeto make those videos.
And that is sometimes the casewhen I make a video where, hey,
I have a 35 minute video on howto set this up.
And someone goes yeah, I am notgoing to twiddle all those
knobs and click all those thingsand type all those commands.
I'll just ask this guy whoseems to know all those commands

(17:27):
and types all those things.
So it's not that I have somedirect intention not to show you
.
The video is feature complete.
It is start here, end here,thing work.
But if you decide that youdon't want to do all those
things and there's this weirdconcept and this is the thing
that I like to really nail hometo people is they think well, if

(17:49):
you show them how to do it,they won't pay you how to do it.
I'm like the person who isdetermined to do that is happy
to find your content.
If not, they'll find some otherway, they'll find some write-up
, they're going to do it anyways.
They were never going to payyou, end of story.
So you're only benefiting butnever hurting you from it.
You've now given theminstruction.
There are those who will neverpay me and I'm perfectly fine
with those people watching.
I have somehow helped them.
They figured it out.

(18:10):
They never planned on hiring me, cool, whatever.
There's always enoughpercentage of people who go.
I'm just not clicking that.

Speaker 1 (18:25):
How do you determine who to charge and who not to,
and what I mean?

Speaker 3 (18:27):
I'm looking at your YouTube, youtube video and you
have a wall fishing tools andhow-to video with 1.2 million.

Speaker 1 (18:30):
yes, I need to do a new one of those.
Well, listen, I have spent.
I spent five years as a as aisp cable guy, fishing stuff,
and it never occurred to me thatif I made a video about it I
would get a million views.
But I guess what I'm where I'mgetting at is I've had two or
three like friends and likeextended family members over the
years that have asked me like,hey, I just moved in and I wind
up spending a day or two pullingethernet throughout their

(18:51):
entire house.
And I guess because up front Ididn't say, hey, listen, like I
do this for a living, you shouldpay me.
We get to the end and they'relike, oh, thanks, that's great,
and and I don't get paid.
Like I just did it six monthsago with a friend.
I just we were talking it solike do you do freebies for
friends and family?
And then how far does that go?
Is it cousins?

Speaker 3 (19:10):
like you charge everybody I charge everybody, uh
, the only that's what youshould do.
Yeah, I have um me and my wife.
Between us we have six, fivekids and I don't charge them.
They get whatever they needdone is done.
I just take care of things forthem, and I have one sibling and
I'll take care of them and mywife's siblings, but that's it.
There is no more.

Speaker 1 (19:30):
Don't do things for free, because I'm starting to
get frustrated that we'refriends and we're hanging out
and they need help and I'm likeI'll come help you, I like you,
and then at the end I mean Iguess that's fine.

Speaker 3 (19:44):
Yeah, friends, anyway , I've always been clear on
where those lines are.
It's just like, especially nowthat I'm pushing 50, I'm like
don't call me if you got to move.
I'm old, my back's going tohurt at the end of the day.
I'm not 20 anymore.
I can't help you move.
Call a moving company.

Speaker 1 (20:00):
It's really amazing Some of these videos like 1.2
million, like doing PF sense andyou you mentioned earlier.
So there's a couple of things Iwanted to hit on and, jeff,
jump in whenever you said likeyou got into open source and
Linux early on.
Why?
I guess because I'm now gettinginto that again.
We're around the same age andI'm just now coming around to
the open source Linux and seeingthe value.

Speaker 3 (20:30):
Did you get into that early?
Yeah, I mean early in.
I just was fascinated by Linux.
So you know we all use Windows.
It's the 90s.
We're loading it on floppy diskWindows 3.1 and all that fun
stuff.
Then comes Red Hat was thefirst one.
Slackware was probably aroundthe same time, but Red Hat's the
one that I had access to, the.
I think it was four or fivefloppy disks and I hadn't tried
to get my X server running andit was really difficult.
But absolutely fascinating to meit was just something about

(20:51):
this free and open source andcommunity of developers and
people I met and I'm closeenough to University of Michigan
and we had the WLUG, which Wactually stood for Washtenaw,
the county that the Ann Arborschool is in.
The WLUG was an awesome placeto go hang out with all these
cool engineers and nerds andpeople.

(21:13):
I didn't have a collegeexperience to lean back on, so
cool.
The academia place supported us.
Let us use the room for free.
We used to do install festsonce a month where everyone just
bring their computer in and weteach each other how to install
Linux and it was just like anaddiction.
It was like I can build my ownkernel, I can modify what's in

(21:34):
this and fail at it miserably.
Every time I tweak something Idon't know, see, but it was
still so much fun and so that'swhat led me into it.
Then, once I got into thecorporate world, which my first
corporate job was in 1998,that's where I started getting
into that.
Then I ended up being a mailserver admin and at the time I
was not a fan of MicrosoftExchange and it was.
I don't even know was Exchangearound exactly then.

(21:55):
I think it was in the earlydays of Exchange.
But I was all in on SendMail.
I was really good at it.
I used to write proc mailrecipes and do spam filtering
and all that fun stuff.
And once again I leaned on myLinux community to be able to be
really good at building thesesystems and managing them.
As the company I was workingfor scaled up, my budget was
really huge.

(22:15):
I mean when I was in corporateby the time I was 2001, I'm in
my early 20s my budget was $1.4million that I had control over
to do what I want with to makesure the company did really well
.
So and this was just my, mynerd stuff.
From then it was solved all myproblems.
I developed stuff in it.
Uh, it was just yeah yeah, I'venever lost that.

Speaker 1 (22:34):
I guess there's limits to like.
So I'll dive into areel-to-reel at I don't know 11
years old and electrocute myself.
But the first time I saw linuxI was like whoa it just it
seemed inaccessible to me.
Where, like you, jumped rightin and you're in the kernel, do
you?
Do you know some programminglanguages, I'm assuming?
No, I'm terrible at all of them.

Speaker 3 (22:52):
Uh, so I can muddle my way through things.
I can usually look at somethingthat's built Chad he concepts
like the only the last language.
I really did stuff in was turbo,pascal and basic, so like
really old languages, yeah.
But once you understandgenerally languages, you can
then go through and understandother structures, the languages.

(23:15):
So I understand all theconcepts.
Uh, and I used to on my staffwhen I worked in corporate.
We're developers, so I will sitover the shoulder.
I'd understand the conceptswe're doing.
Maybe maybe not some of thenuance, but that allowed me the
understanding of the structureswas enough to be able to be
effective with it, to understandwhat needed to be done, what
those limitations were and howto work around them.

Speaker 2 (23:35):
That's me too, tom.
I've been more on sysadmin side.
I'm with you, I can read it, Ican chat to your team man, we
get into some greatconversations.
I mean I'm building stuff inNNN right now, so what's your
latest passion stuff?
I mean, I've seen some of thestuff on your webpage or on the

(23:57):
YouTube channel.
There's a lot of it aboutubiquity lately.
But for you personally, what'sthe tech you're really into?
We talked LLMs, ai, earlier.
Is that something that you'rebig into?

Speaker 3 (24:04):
Oh yeah, I'm getting.
We talked LLMs AI earlier.
Is that something that you'rebig into?
Oh yeah, I'm getting more intoLLMs self-hosted ones, because I
think that's amazing.
I'm working on a talk Open WebUI yeah, Yep.

Speaker 1 (24:13):
Open Web UI is just outstanding.
I don't know what any of thismeans.
What's a self-hosted LLM?

Speaker 3 (24:22):
You can self-host these.
You can grab the differentlanguage models, run them on
your graphics card and then it'sself-hosted.
I was showing my wife because Iwanted a teaser with some of it
.
I was showing her and she'slike you're going to get on the
list for asking that.
I'm like ah, it's self-hosted.
So I forgot.

Speaker 1 (24:39):
It's my own element.
Don Don't you have to trainmodels and all that Like how is
that?
Where's the intelligence comingfrom?

Speaker 3 (24:46):
Well, you run.
So all these companies offerthese models.
So they've done the hard part,the training part.
They've stuck all the data theyinserted, wikipedia and
wherever else they pilfered alltheir data from.
They build these models andthen some of them are built more
specific, like some of the code.
Ones are really good andthey're handy to have.
And you may want a morespecific model because you want
one that can run within theparameters of what hardware you

(25:09):
have.
I don't have the same, you know, super expensive.
Well, actually, I have a coupleof them now, but generally
people don't have access to someof the really expensive high
end cards.
Therefore, you want a modelthat it's going to lose a little
bit of context, but it'll fitwithin there.
So a little bit of context, butit'll fit within there.
So that helps a lot.
Ollama is one of the easiestways to get started and, by the
way, not something you need alot of command line for.
I'm talking like copy paste acouple commands.

Speaker 1 (25:34):
So do you install the model, like the pre-trained
model, locally, and then yourGPU will do the calculations for
you as you talk to it.
Okay, is it huge?
Is it like installing theinternet routing cable?
Is?

Speaker 3 (25:41):
it like installing the internet routing cable 20
gigs, 23 gigs.

Speaker 1 (25:44):
It depends.
I mean that's reasonable forwhat?
You're doing, oh yeahreasonable for a download.

Speaker 3 (25:47):
It's kind of.
The thing that fascinates me isthat it's just not that big.
It's not as big as you mightthink it is to be able to have
this corpus of knowledge becauseof the way the training works
on there.
I'm a big self-hosted advocate,and the internet shouldn't be
four companies with four bigwebsites with screenshots of the
other three on them.
That's not how the internet wasmade to work, but that's

(26:08):
usually what we have right now.

Speaker 1 (26:11):
You just brought me into that question.
So what's the advantage ofself-hosting your LLM?
Because I guess I'm payingOpenAI $20 a month, I guess.
So self-host you're not right.

Speaker 3 (26:23):
Right With self-host you're not, and I do pay for the
.
There's things that I can dobetter with, especially,
chatgpt5 just came out and so Iwas playing with it this morning
.
There's things you can do thatare at a different scale.
That operates for you know yourlarge language models that
you're paying subscriptions for.
They have more access to powerand right now I tell people take
advantage of it.
They're losing money on everytime you click on this thing.

(26:45):
It's a deal at 20 bucks a month.
It's a deal at a couple hundreddollars a month to use Claude
Code or any of these other ones.
They are really.
It's amazing how fast they are,because I don't get that same
level of performance locally,but what I do get locally is
absolute privacy.
There's no concern, and if youdidn't see in the news, there's
been a bunch of privacy leaksand concerns with you can now uh

(27:05):
, 135 000 were found on archiveor messages and people's
conversations, and it's notideal.
Uh, facebook had a big oopswith their system.
Uh, accidentally startedsurfacing people's usernames
along with their conversationsthey had, which, it turns out,
people had some really personalconversations with their uh,
which is unfortunate.
But with self-hosted you getmore autonomy and it kind of

(27:27):
leads to the hacker ethos I havewhere I like to own it all
myself.
You own it, you pwn it, I getto do it.
And if it all went away today,my data center on the other side
of this wall I'm sitting hereat still.
As long as I can figure out howto get electricity to it, I can
still keep using it.

Speaker 1 (27:50):
Yep, how to get electricity to it.
I can still keep using it.
Yep, this might be a dumbquestion to ask, but when I hear
so, I I understand that youdon't want your data, like
certain data, to get you knowinto the models.
Yeah, and let's say the thefacebook messages is an example.
I understand why that's bad,but how would andy, standing at
his desk in chat gpt access anyof that like?
How would I even find that inthe model?
Like just because the data goesthere?
What, what?
Like?
I'm trying to understand the,the attack vector, and maybe

(28:11):
this is a segue into likecybersecurity.
But how would I ever find thatdata the chat GPT ingested and
use for my own nefariouspurposes?
Cause I don't know how to findit.

Speaker 3 (28:21):
I've looked there's a lot of times and I think the
Samsung was one of the bigcompanies that had an incident,
maybe as a year or two ago, whenhe realized that the people
were using it at Work to Samsungkind of indiscriminately
putting in a lot of the companysecrets and they came surfacing
elsewhere in other people'schats.
Now it's not easy to shake chatGPT and get out of it what you

(28:42):
want, but one of the things thatyou big picture consideration
here With ChatGPT or any of theLLMs, you think about control
planes versus data planes.
When we're talking aboutnetworking, we have a control
plane where I can make changesto the system and a data plane
where we transport the data.
In the early days of the phonesystem this was one piece, hence
the 2600 whistle we used toblow and get free phone calls
and all the phone freaking thatwent on through the 70s and 80s

(29:06):
and things around that.
Well, we're kind of back tothat again with the LLMs,
because now we have the controlplane and data plane being the
same thing, all the data is alsothe same place as all the
controls.
So, as I pound away at thesecontrols, this is why we're
seeing all these hacks with eventhe latest MCP stuff.
I don't know if you've seenChatGP announced this morning by

(29:26):
the afternoon.
There's a guy on LinkedIn.
It announced this morning bythe afternoon.
There's a guy on LinkedIn.
It was awesome.
He already jailbroke it.
He's already found a way to getthat Defcon.
Yesterday someone or Black Hatyesterday they kicked off found
a way around Copilot to getaccess inside of Microsoft, like
escape the model and get insidewhere the model runs.
So there's a lot of differentways you can kind of coax things

(29:49):
out of it and a lot of it is.
There's no good sanitization.
It's the early days of SQL.
We just well, let's expose SQL.
What could possibly go wrong?
Oh, sql injection, that's whatwent wrong and that was just
like for years it took us beforewe put good security controls
and engineering around it.
And that's kind of those earlydays.
If you really start looking atpeople who are jailbreaking and
getting around the securitymitigations they have, we're

(30:12):
still in the early days of LLMsand there's definitely people
able to shake a lot out of them.
So I'm always careful Anything Ido in a public.
One worst thing you'd get isall the stupid puns I make,
sometimes using chat GPT, ifsomeone were to steal my account
, it would be someone would go.
This is really what you use itfor.
To steal my account, it wouldbe someone go.
This is really what you use itfor.
I'm like yeah, yeah, it doesmake a lot of.

(30:33):
You're like you send all thesedumb images to your friends
every day.
It just makes the most absurdthings.
I made my friend look likezoidberg and send it to him.
He's just like why.

Speaker 1 (30:41):
I'm like because the hacking stuff is fascinating to
me and I wouldn't even know,like the entry point, like
somebody we had somebody onwho's talking about, like hack
the box, like so and how, like Iwould have no idea.
I mean, jeff works for asecurity company and I know
you've, you've mentioned to mebefore, like cyber security is a
big thing, oh yeah, like it's.
How, how can I learn?

(31:03):
Let's say, I want to shake anllm, like or however however you
put it.
I mean mean, so what iscybersecurity?
Because I know that that's oneof your specialties and it's
something I know little tonothing about.
So can we just define at a highlevel, like, what is
cybersecurity?
What does it do for a company?
And then, what could anefarious person do to try to
get, like you said, shake out anLLM?
Or maybe I want to get intoTom's data center and find some

(31:25):
cool stuff that he said publicly.

Speaker 3 (31:27):
I was thinking about.
Sometimes I feel cybersecurityis just me stating the obvious a
lot use multi-factorauthentication and quit using
the same password everywhere.
But cybersecurity overall iscalling yourself a cybersecurity
practitioner.
We kind of blend it in with theMSP service because we say you
can't be an MSP, I can't befixing your network without
thinking about security.
I can't be updating or managingyour servers without thinking

(31:49):
about security.
So, as a practitioner, we lookat it as frameworks and aligning
to them.
So we're going to say, allright, we're a practitioner,
we're going to align you tothese frameworks, we're going to
follow these practices, we'regoing to stop lateral movement
or mitigate it as best we can.
We're going to say we're goingto put MFA everywhere, we're
going to lock down your networks, we're going to create
segmentation, we're going tomake sure these servers have a

(32:11):
process, that which we not onlypatch them, that we validate and
continuous validation of thatthe patches are loaded and
that's protocols are beingfollowed.
So it's kind of this allencompassing tooling around.
It's not just installing theserver.
It's like all right, what arethe best practices?
I always complain a lot and ranta bit about this, where I think
we spend too much time aspractitioners fighting Microsoft

(32:31):
.
It is like all of us areexcited because Microsoft
reduced the time that sessiontokens lived a little bit less
and we're like great but stillnot awesome.
Like you did your move in it,but not where we want.
My friend Kelvin he's aMicrosoft MVP, kelvin Telgar
he's known online as CyberDrain,but he's got a great talk he's

(32:52):
given a few times called Don'tTrust the Defaults and it's all
about how to secure your Azureenvironments and it's kind of a
weird thing to think about andwe juxtapose this a lot with the
car industry being here inDetroit.
My friend Matt Lee's done areally good talk on this, but I
want to title and do a talk withhim.
We want to call it unsafe atany click because, if anyone
knows automotive history, therewas a book release called unsafe

(33:12):
at any speed.
It highlighted the problemswith the automotive industry.
If people keep getting injuredin cars, the automotive company
said look, man, there's nothingwe can do about this.
We cannot make these thingssafer, it would just bankrupt us
.
Now safety belts are in everycar.
Your airbags are on by default.
You ever had to turn yourairbag on Matter of fact, it's
really hard to turn an airbagoff.
There's several steps you'dhave to go through, but we're

(33:35):
the opposite side in thesoftware industry right now.
Unfortunately, it's not justinstall a server.
There's a hardening guide byinsert name of company and you
kind of think that's a weirdthing to do.
We don't need a hardening guidefor our card.
Airbags are turned on.
The safety belt thing willdrive me bananas if I don't
click it.
But I can plug in a server or Ican set up your Azure tenant
and look how long it took to goback a number of years with

(33:57):
Amazon.
How many times were we left thebucket open?
Why?
Well, that's why Amazon set upevery bucket until you took the
time to do it properly.
So a lot of cybersecurity isunfortunately checking those
boxes, putting the things inthat the software vendors have
not, because they have a EULAthat will absolve them from any
wrongdoing.
If something happens, they justget to say whoops.

(34:17):
But here on page 27 of the EULA, our lawyer said we are not
responsible for whatever it isthat happened.
So cybersecurity is that.
I know it's kind of a longwinded answer.

Speaker 1 (34:27):
No, no, it's really helpful, like I thought of so
many things as you were talking.
So cybersecurity is that I knowit's an older code and I know

(34:50):
the vuln and then I can get inand start doing things.
And then you said lateralmovement, which means once
you're in, you move around thesystem.
So you got honeypots.
I guess I've heard of you wanta micro segment, like you said,
with vlan, so if you're in oneplace you don't go to other
places.
So it's, I'm fascinated by thatworld and it's just because of
my career.
It's nothing I got into.
I worked at these hugecompanies with like cyber people

(35:10):
, right.

Speaker 3 (35:10):
They have a department that just makes sure
you're following.
Yeah, I didn't want to let youdeviate from them.

Speaker 1 (35:14):
Right, but it's so fascinating to me.
And then I've been tracking inthe news a lot of the LLM cyber
type stuff, meaning like I thinkReplit just got hit the other
day.
I can't follow.
Like I read it and then I'mlike, what are they saying?
But something happened inReplit where, like it wiped out
2,000 customers because of someopen code AI thing that somebody

(35:36):
hacked.
Then there was something elsewith Amazon Q, but it seems like
the new hack seems to besomehow leveraging the LLM
built-in functionality and devsare like somehow using it to you
know, destroy functionality.
And devs are like, somehowusing it to you know, destroy
everything.
Like, hey, the next commit youget destroy all the accounts.
And then they find again Idon't know cyber, but they're
finding ways in through theseweird llm functionality.

(35:58):
Like have you tracked any ofthat?

Speaker 3 (36:00):
like the amazon q thing, the repla thing, yeah you
know one of the things that'sreally handy if you want to
understand and I wish, and justbeing my cyber security friends
love this topic um, ntsb, if aplane has an incident, we have
the national transportationsafety board and all of us wait
because it's a slow, methodicalprocess, but when it's done
there's a very detailedexplanation in the software

(36:21):
industry on your hand.
You know, if you make theequivalent joke here, it would
be like the plane crashed whenit did the thing.
Can we just try doing a thing acouple more times to see how
many times it crashes until weget a baseline of it?
I mean, it works so muchdifferent in software but we
don't have enough requirementsfor it.
But there are some and thebreakdown is referred to as a
differ report.
That's the NTSB equivalent inthe software world, where what

(36:43):
happened and there is a sitecalled the differ report and
they publish anonymized in a wayof we don't know what company
it was, but that's not relevantanyways.
It's a great breakdown ofwalking you through initial
access.
How did they first find theirway in?
What did they do when they havethat information?
How did they pivot from thatinformation to the next step?
And then how did theyeventually get what their goal

(37:05):
was?
Was it a ransomware attack?
It was espionage, it was takingsomething.
So different reports are kindof your path to breakdowns that
are in very relatively plainEnglish because they're not
meant for only cybersecuritypeople, they're meant for people
to read and go in and along.
But these are the detailedbreakdowns of everything that
occurred to lead up to thisevent and those are very helpful

(37:25):
because you can look alongthere as a practitioner and go
what would have stopped it alongthe way?
So let's walk through adifferent report of oh, they got
here but it wasn't stoppedbecause they didn't have this
mitigation, they didn't have acompensating control that would
have stopped this.
So you kind of rattle throughthere and figure out what landed
there and then work itbackwards to go what tooling do
I need?
Or what notices do I need?
To get to the point where Idon't have those, because we had

(37:48):
an incident that I covered andit was with my company, not us.
Well, one of our clients,specifically so my company
client we serve incidenthappened.
We got it, but they did get toa point.
But that's why I tell peoplehere's what happened and here's
the point where they got.
But here's where we got themand this is how we mitigate it
in the future.
It where they got, but here'swhere we caught them and this is

(38:11):
how we mitigate it in thefuture.
It was a flaw in a commercialpiece of software that's used in
the construction world and wefound it.
We stopped them the moment theygot on because they issued a
SQL command to elevate theirprivileges to start a shell.
You go wait a minute.
Why did someone try to make ashell off SQL?
That seems odd.
So we have detection tools thatgo yeah, that's abnormal.
Also, we learned that thecompany when we contacted them,

(38:32):
and my friends Huntress have agreat write-up on this because
they're the tool that caught it.
They also dove deep into this.
They're like hey guys, andthey've been working with this
company, you have a flaw.
And they're like, yeah, maybewe'll fix it.
And the company still hasn'tfixed it.
There's not good medicationsfor it, there's still a
commercial company.
The name of the company eludesme now, where I'd say I'm,
because I don't mind callingthem out, because Huntress

(38:53):
already called them out and saidhey guys, your SQL port that
you tell people to open is partof your instructions.
Perhaps you shouldn't do that.

Speaker 1 (39:02):
And there's software that tracks all that stuff.
I forget what it's called.
One of you will tell me, but itlooks for like weird behavior,
like, oh, the SQL thing did athing it shouldn't have.

Speaker 2 (39:10):
Yeah, is that?

Speaker 1 (39:11):
like IPS IDS, or is that something?

Speaker 2 (39:13):
EDR NDR.

Speaker 3 (39:15):
Yeah, yeah, yeah yeah .
Edr, ndr, xdr, xdr is thecombination of we enrich network
logs along with our endpointdetection response.

Speaker 1 (39:30):
Then you've got your sims, we could go down.
Yeah, you want to go down theside looking for behavior and
like strange things like why?

Speaker 3 (39:33):
is this thing doing a weird thing that it's doing
right yeah, it's moved to thatbecause in the early days we had
signatures, because we hadpredictable, like the I love you
virus and all those wonderfulthings that were in the early
days as things have progressed.
And live off the land is apopular term.
What it means is powershellexists on servers.
I don't have to bring my ownbinaries that might be

(39:55):
suspicious, for hey, why are youputting that on this computer?
I can do a lot with powershelland if I can get access to
powershell through sql and I canspawn a powershell that has
full admin privileges or systemlevel privileges, I can do a lot
of things.
So living off the land evadesany type of detection of I'm
looking for this applicationbeing run on there.

(40:17):
Behavior analysis is reallywhere all these companies have
had to move to, because you justgo why did your SQL spawn a
shell?
It doesn't do that normally, sothat kicks off an investigation
by your EDR vendor to go.
That's very suspicious.
And they go whoa.
That seems really suspiciousbecause it came from an IP
address that we have in our listof bad IP addresses that have

(40:38):
done this before, and then theywill put a stop to that noise.

Speaker 1 (40:42):
And you mentioned being an open source advocate
earlier.
Are there open source tools forthis kind of like cyber stuff?
Or do you have to pay somebodya bajillion dollars?

Speaker 3 (40:49):
Oh yeah the good news is I have two good videos and I
said I didn't have a lot ofcybersecurity videos, but I
actually have two of them.
I got one just title opensource threat hunting and I
cover three different tools,which is going to be Greylog,
Wazoo and Security Onion.
I also did a standalone deepdive on Security Onion.
It is a sock in a box, if youwill.
It is a sock in a box, if youwill.
It is an entire threat huntingplatform, fully open source.

(41:11):
The team at Security Onion isamazing big open source
advocates.
I'm big fans of what they'vebeen doing.
They've been around for a year,10, 15 years doing this, maybe
longer and you can download it,you can set it up on your system
and you can begin your careerin your home lab, 100%
self-hosted, 100% free, and itis used by commercial companies.
It has an entire SOC analysis.

(41:32):
They're starting to build insome AI tooling that will
basically look at the threat andgo I don't know a lot of
hexadecimal going across thescreen.
What is this?
And it'll help do somedetermination for you to lead
you along the way.
I haven't played with any of thenew AI stuff that the team have
put into it.
They just haven't played withany of the new AI stuff that the
team have put into it.
They just haven't gotten backto it as we don't use it
commercially.
We have some commercial toolswe use for that, but it's one of

(41:54):
those things.
I look for tools like that tosay hey, you student who may be
watching this video, who saysI'd like a career in
cybersecurity, what do you guysactually do?
Because it's a broad topic andI'm like start learning.
And, by the way, you areprobably time rich and cash poor
right now.
So download this free, opensource tool.
Grab an old box.
It doesn't require a ton ofhardware.
Grab a used computer that youhave laying around.

(42:16):
Turn your old gaming systeminto the security union box, Tap
your network with a port spanand start collecting some logs,
and then go panic because you'relike my computer's going where
Install Kali Linux?

Speaker 2 (42:28):
You could man.
There's all sorts of stuff youcould do so fascinating.

Speaker 1 (42:32):
I think if I was 20 years younger and I could do it
over again, I'd probably getinto the cyber hacking.
I see my friends at DEF CON andstuff.
It just looks like so much fun.
It's this cat and mouse gameand it's a puzzle.
It really looks like a lot offun trying to get into things
and secure things, and even Ijust looked at the different
reports.
They're fascinating.

Speaker 3 (42:53):
Yeah, I see you stare and I'm like okay, he's opened
up the different report.

Speaker 1 (42:56):
It's fantastic.
I mean, I could spend foreverin here.
It's just amazing what you canlearn.
Here's what happened and here'swhat they did and here's how
you protect yourself.
But it's an endless cat andmouse game, right?
Oh yeah.

Speaker 2 (43:07):
You know where your biggest vulnerability, though,
is in your organization.

Speaker 1 (43:11):
What's that?

Speaker 2 (43:11):
The people, the people it accounts for the vast
majority of cybersecurityattacks is something from the
inside, where somebody eitherleft a port open because they
went and they changed somethingup in AWS, or they opened up an
email they shouldn't have.

Speaker 1 (43:26):
Your people are where a lot of your cyber phishing
email a couple weeks ago and Iconsider myself pretty darn good
at not doing that stuff.
I yell at my dad like dad,don't click any links in any
emails and and son of a gun theygot me at work.
They have, I guess, things thatthey try to see.
If you know you did the thingand they're like, oh, this is a
phishing thing, you shouldn'thave done that.
I'm like, oh god, yeah, likethey're really good.

(43:48):
Some of them are like I forgetwhat it was, but it I clicked
the thing I shouldn't have.

Speaker 3 (43:52):
I'm, I'm, I'm embarrassed yeah, you know, um,
I don't always self-title myselfa hacker because I've always
considered myself blue team mymy job has always been on the
side of protection.
But I love hacking conferences.
I have friends that work in it,and one of the reasons why is I
think to be a better blueteamer is I have to understand
how people are breaking things,so I've always hung out with all

(44:15):
those people.
I love going to events.
Next week I'll be at Hackers onPlanet Earth in New York.
Those events are so cool.
I'm going to be at GURCON aswell this year.
I love the smaller events.
There's maybe only like 800people going to be at these.
I don't know.
There's probably about 400people at Hackers on Planet
Earth.
I'm not sure.
The reason you're not sure isthey're not like your normal
events, because you think aboutsocial media and post it and you

(44:37):
go hell.
There's not a lot of picturesof DEF CON, despite 27,000
people being there.
I'm like, yeah, if you go tothe smaller events, if you would
like to leave those events veryforcibly, go ahead and start
filming buddy.
They're generally not a thingthey do.
We made jokes at Wild WestHacking Fest.
We was there last year withsome friends that did a talk,

(44:58):
but we always like to do theseselfies up on stage.
My friends were talking.
They're like hey, going to do aselfie.
I know it's not welcome here,so everyone that cares about
their identity duck and all theheads went down like this and we
took a selfie with people'sheads down.
It's funny.

Speaker 1 (45:12):
So I know this is like probably a silly question
to ask, but why?
So I've made certain decisionsright, like I do not post
pictures of my children anywherepublic for reasons.
Yeah, my wife might have adifferent thing right, but, like
, for me, I'm like, okay, well,I'm known in certain circles, in
smaller circles, and I justdon't think for a lot of

(45:34):
different reasons.
Even the AI stuff you see, andwhat they can do with pictures,
oh yeah, I'm like you know what?
So I got to lock behind stuff.
But what's the vulnerability?
Why can't you take a picture ofyourself at a security
conference?
Like what's that going to do?
If I see a picture of tombehind jeff at like defcon, like
how am I going to use that for?

Speaker 3 (45:52):
nefarious purposes.
It's just a lot of peoplethey're.
They're much more privacyoriented and jack reciter dark
net diaries, pretty famous.
Um, I've had friends that havemet him and it's funny because
they took pictures of eachother's shoes.
It's the stupidest picture Igot, like I metcyder.
He sent me a picture of theirshoes together.
He's like I can show you hisshoes.
He told me I'm allowed to.

Speaker 1 (46:11):
Is that a hacker culture thing?
Like, don't put my pictureanywhere.

Speaker 2 (46:14):
Yeah, yeah, kind of a culture thing.

Speaker 1 (46:16):
What am I going to do with your picture Like?

Speaker 2 (46:18):
now I know what you look like.

Speaker 1 (46:20):
What does that mean, jack Recy?

Speaker 3 (46:25):
Yeah, there's a lot of people who are very anonymous
.
I'm friends with a lot ofpeople at Huntress and they
don't have LinkedIn.
Some of the people that workthere that are currently
presenting at DEF CON they don'thave LinkedIn.
They don't talk about wherethey work.
They lead a life where they doit.
I don't know, it's a nature.

Speaker 1 (46:44):
Is that to reduce their attack surface?
Is it a strategic thing?

Speaker 2 (46:48):
Some of it is that to reduce their like attack
surface, like is it a strategicthing?
Some of it is that I haveanother theory on that, which is
some of the people I've metthat are more on the red team
side of things.
They're curious by nature,which means sometimes they poke
around and whether they're,whether they're doing anything
that ends up, you know, stealing, they often will poke around.
There's just, there's just adesire for anonymity by people

(47:09):
who like to to tinker.
It's sometimes a walk, a fineline between what you should be
doing, you shouldn't be doingyes, gray hat would definitely
describe any of them.

Speaker 3 (47:19):
Uh, they are.
They are not public about whatthey're doing all the time and
it they're doing it for theright reasons, but it's uh.
Yeah, I remember there's acouple people when, when there
was several leaks we found out,several prominent people in the
security industry go we didn'tknow, you worked at the NSA.
And he goes what does this say?
We're not talking about where Iworked, there's just a gap in

(47:39):
my resume we don't talk about.
And some of those it's reallyinteresting.
You meet some of them.
He goes by.
I'm not going to say his name.
I shouldn't say because I thinkhe's buried it again.

Speaker 1 (47:48):
I don't need anybody knocking on my door tomorrow.
Man, this podcast is registeredto my address.
Let's not say his name.

Speaker 2 (47:55):
Side story on that Side story on that.
I have a friend of mine thatworks in the NSA building and I
was having a beer with him oneday and I jokingly said to
somebody else yeah, he's mybuddy, he's a spy, works at the
and he goes, jeff, because I kidyou not, I have to report this,
that this was said because itis actually.

(48:16):
I have to, because it's noteven a big deal, because no one
cares.
That guy's drunk, he's notgoing to remember it, but I
actually have to go in and sayhey, by the way, this came out.

Speaker 3 (48:26):
Right, yeah, there you go, jeff.
There's rules, there's a levelof anonymity.
There's rules.
Uh, they, they.
There's a level of anonymity.
Uh, jack reseller's talkedabout it a couple times on his
podcast that he really enjoysthe fact that when he shows up
at ifcon he puts a mask on and ahat and he everyone knows who
he is by his disguise.
But when his disguise is off hejust blends in with the crowd
and he says there's somethingfreeing about that where

(48:47):
everyone wants to talk to himbecause he's jack reseller of
dark knight diaries, which isawesome.
But the other side of it isfame has a price and being able
to be anonymous by taking thehat off, taking the mask off,
and no one actually knows whathe looks like.
So I think he represents a lotof people in that industry.
I made a conscious choice todecide what I do or do not share

(49:08):
about myself being a publicfigure.
It's really hard because I doso much public speaking.
A lockpicking lawyer.
If you look up lockpickinglawyer, his DEF CON talk which
is strange because he says nopictures, of course, and they go
through his slides but thefirst three or four, maybe five
slides are all the stalkers.
He has People sending himtrackers, air tags, you name it

(49:29):
People trying to follow him tothe PO boxes that they ship
things to to watch who goes inand out and like he has a lot of
people.
He's actually leveled it upbecause of so many people trying
to stalk him.
It's just weird.
But because he's chose to beanonymous, there's more people
that want to know him and soit's become a cat and mouse game
.
Yeah, uh, he's had numerouspeople hire private eyes and it

(49:50):
turns out because he's a lawyer,he knows the the private eyes
are and he thinks it's fun whenthey people reach out to his
friends like hey, someone hiredme to track you.
Do you take their money atleast?

Speaker 1 (49:57):
oh, yeah so is that like red teamers just trying to
find out who he is just for likestreet cred, or like just yeah,
I think that's what it.
Is it just it?

Speaker 3 (50:05):
becomes a cat and mouse game.
I've I've had some weirdness.
I mean, we built a new house acouple years ago and I was not
thinking I did not set up aspecial trust for it and I
should have, and I know some ofthese things because I got some
very deeply private friends.
But ah, then someone messagedme like your new house drove by.
I was like, yeah, thanks.

Speaker 1 (50:24):
Random person on discord yeah, there's so many
levels of it.
I guess, like your name is on adeed and like you know, like I
don't really think it througheven myself, like I try to be, I
try to keep my kids anonymousonline.

Speaker 2 (50:35):
But yeah, I mean some of these.
It's a challenge, it's achallenging thing wanted yeah
not only that, you really wantto go down a rabbit hole.
Look up jose monkey.
This guy is someone who he'llyou could go in and ask him to
find your location based off avideo.
Yes, he's amazing atgeoguessing is wild Geo-guessing
yeah.

Speaker 3 (50:55):
It's its own remedy.
Yeah, you can grab some littlepiece of information and they
will geo-guess it.
When I've done CTFs, kind ofbringing it back to the hacking
conference, the CTFs usuallyinvolve multifaceted things,
finding security flaws in thingsthat are set up.
At the CTF It'll be at ahacking event, but there's
geoguessing and lockpicking andall those things I can do the

(51:15):
lockpicking I do some of thegeoguessing.
I'm terrible at some of theother hacking stuff.
But our team won two of thelast conferences that we
participated in.
We dominated, which was awesome.
We have some really smartpeople.
My business partner, jason, isjust a brilliant reverse
engineer and watching him, andanother guy we have named damon.
They just hack stuff.

(51:37):
Man, I love watching them go.
They're just like leaderboardtop notch.
They're like grabbing the flags.

Speaker 1 (51:43):
I'm just like yes because we're getting close to
the hour here.
I'm going to try to get ustoward a, toward an ending here,
because you're you know, you'reone of those guests I could
talk to forever.
I'm like whoa tom, there's somuch cool stuff and so, uh, this
is, this is um, this is so muchfun for me.
I don't want to let you go, butI know I should.
So, yeah, um to.
To circle back to the contentcreation, we'll try to wrap up

(52:04):
there.
What was the first video thattook off for you and did you
expect it?
Like, did you have one thatjust blew up and you're like
whoa, that was kind of notsurprised not particularly, but
generally speaking it's afirewall videos.

Speaker 3 (52:15):
I just didn't realize the interest there was going to
be on youtube for the firewallvideos.
That really kind of surprisedme.
So that is the views that tookoff the any of them I've done.
On cabling, um generally havedone well one.
You know, if you really areteaching people cabling, that's
done well.
That was also a surprising one.
Uh, there's, we're recordingthat at like eight o'clock in
the evening.
Uh, me and cory are, and that'sdone well, that was also a
surprising one.
We're recording that.
At like 8 o'clock in theevening, me and Corey are, and

(52:36):
that's why there's a beer in itthat we pull out of the wall.
If you've seen the video at theend where we pull a beer out of
the wall as part of a joke, wewere just hanging out and I'm
like, oh, let's just record this.
I have this idea.
The little amount of effort thatwas in that video was just so
low effort Me and Corey hangingout after we had gotten finished
pulling wire somewhere anddecided to.
When we built the little wallfor it, we actually built the

(52:57):
wall with the intention of doingit, because we built the little
half wall.
So there was some intention,but it wasn't like well scripted
, it was like I don't know,let's just do this and see how
it works, let's record this, andso those ones are kind of
surprising to To me.
They got the views it did, butoverall it's just a brute force
of putting a lot of content outthere, and most of my content is
related to what I'm doing beinga practitioner, whether it's

(53:18):
virtualization, networking orthose things.
There are things I'm managingthese projects, doing these or
design and do an engineering forthem, so they kind of flow easy
where I'm just talking about alot of what I'm doing, you're
doing it anyway, right, butyou're just sharing and teaching
.

Speaker 1 (53:32):
I love what you said earlier.
I was going to finish with itbut people remember people who
help them.
You're really just showingpeople what you're doing and
teaching and then helping people, which then just draws them to
you, I think.

Speaker 3 (53:43):
Yeah, there's an enthusiasm for I figured this
out and a second enthusiasm Ican share what I figured out
with others hacker ethos as well.
Matter of fact, if you look atthe history of hacking people,
this is how they always seem toget in trouble.
They can't stop talking aboutthe thing they hacked, the
history of how hackers gotcaught.
They tell everybody it's likerobbing a bank and then telling
people.

(54:03):
Yeah, you know it's gottenbetter now that we put structure
on it.
We do bug bounty programs andthings like their name in lights
for it going.
Hey, we found these bugs, wewere paid for them, they could
do write-ups.
They're up on stage legallydoing it, um.
But kind of back to the contentcreation side.
There's just an enthusiasm ofbeing able to help people.
I've got to meet all kinds ofcool people.
Now I'm sitting on a podcastthat I've listened to with some

(54:23):
cool people like it.
It takes you, uh, places andthat just makes it kind of fun
to me.
That it's like an added bonusthat helping people also turned
out to.
You know, I got to.
I have a video where I filmed adata center and a lot of people
have messaged me how'd you getthe camera in the data center?
And I'm like, well, the guydoing the tour is normally the
guy who tells people you can'tfilm in a day center because he
manages all the data centers,but turns out he likes my

(54:45):
youtube, so he gave the tourbecause he knows what can or
cannot be said.
What he would do is he wouldactually tilt me aside a little
bit because you can't showwhat's on these dials here, like
it's just voltage, he goes.
It's tuned to a very specificfrequency.
It is tuned perfectly.
He goes.
The trade secret is how I'vegot that tuned or how my team
tunes it.
So move over this way.

(55:06):
It was kind of fun, uh, thebehind the scenes of it, of what
got cropped out essentially,but uh, he, he's the one that
makes the decision.
So he gave the tour.
It's a really cool tour aboutthe power systems and the liquid
cooling and how many gallonsthey have on site.
Lots of details you wouldn'tthink they could share.
But it was fun to be there andhang out, not just like usually

(55:27):
a data center.
If you go there, it's loud, yougo to the rack that you're
allowed to go to.
You cannot just wander aroundand you certainly can't point
and ask what's that and we'lland it's going to go.
None of your business.
That's what that is.

Speaker 1 (55:37):
Go that way how do you handle negative comments on
videos or on socials um?

Speaker 3 (55:43):
you gotta hug your haters, uh, but never more than
once.
So I will reply sometimes, once, but at some point you are
rolling in the mud with the pigand the pig loves it.

Speaker 1 (55:53):
So you got to troll, so you'll say that again You'll
hug the haters, but not thehaters, but never more than once
.

Speaker 3 (56:02):
Yeah, I will comment on them.
Occasionally.
I will engage in a little bitof a debate with someone if
they're really wrong, and Ithink there's a value in it and
the value is it's a mindset.
The value and I do this a lotmore on LinkedIn the value is
not arguing with the person, itis creating an audience and I
know the audience may not thinkabout this issue, so the person

(56:22):
throws an opinion this way on it.
They're wrong about it, they'renot very in depth on it.
So I'll have a more careful,good thought out response and
it's for the people watching andI actually always make sure to
say that I'm going to reply toyou.
I'm not here to change yourmind, but I know there's other
people watching.
That is the first line I giveand then I give an explanation
of why they're wrong and itinfuriates them, which also

(56:46):
makes me happy.

Speaker 1 (56:47):
Well, you're going to do something good with it.
I mean, you're going to use itas a teaching moment, right
which?

Speaker 3 (56:51):
yeah, they didn't want.
They wanted to make you mad andget your attention, and yeah I
have made a lot of people madabout my passkey video lately,
so that's been a fun oneexplaining to people how
passkeys can bypass 2fa.
And people like but tom thespec says I know.
I said, oh, I know, you can useit properly.
I'm talking about companies,not small ones.
We'll use github, an example,who lets passkeys bypass 2FA

(57:14):
without forcing you to certainstandards.
That is to me a problem and alot of people are not aware of
that problem.
So I made a video about it andit turns out it made a lot of
people mad.
I got a lot of messages on thatone.
I don't know why they're so mad.
They're just telling me well,if I have two-f factor on my
password manager, thereforethat's the, that's mitigating.
I'm like no, at some point yourpassword manager has to be

(57:35):
decrypted and then the passkeyis a single point of login
because it can be exported outof your password manager.
That's all I really said inthat video.
It's really simple and I gaveexamples.
But yeah, that uh turns outgets you some haters yeah, see,
this is the.

Speaker 1 (57:48):
This is the problem with talking to you, because now
I had one more question I'mgoing to finish it, but now you
got me thinking like, so wait,are you telling me my master?
I forget what they call it, butI don't want to say the name
because of the these listenersthat are now hackers.
But let's say I use a passwordmanager, not named password
manager, and let's say I have,you know, uh, one thing I type

(58:09):
in to get to all the otherthings.
It's encrypted.
Yep, did what you just say.
That's not secure and thatsomebody can get that and I'm
exposed.

Speaker 3 (58:17):
The risk model is for logging into the password
manager.
We have something we know ourpassword and something we have.
It's a TOTP, it's a hardwarekey, it's a UB key, whatever you
might be using.
So we've got two factors ofauthentication on the password
manager.
You've got two factors ofauthentication on the password
manager.
Inside that password manager wehave usernames and passwords.
What we shouldn't have is thatother factor, because I log into

(58:38):
Google, I log into GitHub, it'sgoing to say username, password
.
My password manager goes hey,username, password, I got that,
let me fill that in.
Then it says what's your TOTP?
Give me that rolling off numberor touch your YubiKey to finish
your login.
And that is all great.
And what they're talking abouthere is that second factor is
the compensating control.
Inside of the password managerlies all these credentials.

(59:00):
So let's walk through a riskscenario where someone has
figured out a way to extract allthat data out of your password
manager and they can get myusername and password.
That would be tragic.
But the tragedy stops when theyhit GitHub and go ah, I got his
username, I got his password.
I don't have a second factorpass keys.
On the other hand, pass keysallow for single login.
They're cryptographicallysecure, they're phishing

(59:21):
resistant those things are allwonderful security features of
them.
But once you store them in apassword manager, github is easy
example we'll use here againwhere that password manager now
stores a passkey and you can goexport my passkey out of my
password manager.
So we've gotten into passwordmanagers Somehow.
We don't know any way to getinto them.
They're great fortresses buthey, anything, every fortress

(59:42):
has a crack.
We get that data out of thereand then you can log into my
GitHub or anywhere else thataccepts a passkey without asking
for a second factor.
That's a problem to me of theway the implementation is.
There is within theimplementation, within the FIDO2
standard, a rule that can beset at the level of the website
that says don't do this youforce people to use Whenever you

(01:00:04):
want to register FIDO2, there'sa list of devices and you can
say I'll only accept thesedevices that you know.
Hold on the pass key or aYubiKey in my hand.
It says no, only devices thatrequire you to touch them,
because that is a really solidway.
You have to be sitting at yourdesk, so even if you're on my
computer, I have to touch theblinky light on my YubiKey here
for you to do this.

(01:00:25):
But the implementation used bythe password managers allow
falsifying attestation and thisis kind of a security bypass.
So attestation means touch theblinky light and a little piece
of metal on here to let you knowI was there.
Password managers can do thaton your behalf.
Now, the way the passwordmanager I use does it is.
It does prompt me and I have toclick on it.
But if someone was physicallyon my computer having remote

(01:00:46):
access, they got to click on ittoo, and so it's not much of a
competency control.
So right now my passwordmanager is logged in unlocked.
If someone took control of mycomputer when I wasn't looking
I'm wandering around my studiothey would just be able to log
in.
But if it's critical, I say usea hardware key, use a totp
number that's rolling on yourphone.
So now there's an extra step.

(01:01:08):
So just sitting at the computerthey wouldn't be able to
extract it.
That's all it.
It really is what people seemto be angry about.
But, tom, you're dumping onpasskeys, and they do to improve
security.
I said the first sentence ofthat video is passkeys have done
a lot to improve security.
They're great.
This is not telling you not touse them.
But for those of us that aresecurity minded, for those of us
that have 375,000 YouTubesubscribers and be really

(01:01:30):
worried if someone were to oh Idon't know take over my channel
and shill some type of cryptolooking at you linus tactics,
who did not have propermitigations for that and he was
very transparent about it, so Ican say his name.
You know someone took over hischannel with several million
subscribers and used it forscams.
Uh, you should have, if you knowyou are very hot target,
actively targeted, because youhave called yourself a cyber

(01:01:53):
security guy on youtube andpeople go.
I'm going to prove that guywrong because that's how humans
work and so you want to makesure you've done everything you
can within your power, withinreason, to have all compensating
controls to have people notattack you.
That's all.
That's my point of the video.
People took it out of context,but I I hopefully speak to a lot
of people and other people Imet that work places, that they

(01:02:14):
work at high securityenvironments.
They work at some facilitywhere they know, even if they're
not a public figure, there arepeople going.
I'd love to get the secretsthat person has, because they
have a job that has thosesecrets.

Speaker 1 (01:02:26):
Once again I'm learning something I didn't know
.
My password manager has beenrecommending passkeys.
I assume that they know morethan I do, because they do, and
I figure, oh, I get like I don'teven know what a passkey is.
I couldn't explain it tosomeone, but I've been.
There's a whole video on sites,well right, but but to hear
that it's it's not.

Speaker 2 (01:02:45):
The passkeys are bad, well, it's circumventing 2fa
right, it's circumventingtwo-factor authentication.

Speaker 1 (01:02:52):
Where it doesn't, yeah, which which I didn't
realize.
So, again, this is importantand it's great, and I'm glad
you're teaching me this, andmaybe I shouldn't be using
passkeys because they circumvent2FA.
I don't know.
I got to look.

Speaker 3 (01:03:03):
The term used is risk tolerance.
So I have lots of places I usepasskeys.
I am completely risk tolerant.
If I use a passkey at my pizzaplace because they had one and I
could order pizzas and if youbroke into my pizza place I'd be
annoyed, you could probablyorder pizzas or see my order
history, I don't know, I'm notworried about it.
I like the convenience theyoffer in certain places where
the risk tolerance is high.

(01:03:24):
If you got into those randomforums that I use, like you know
, I like motorcycles, so I'vegot a couple of motorcycle
forums.
If they have a passkey login,I'm doing it because I'm lazy.
I don't feel like pulling aTOTP up over each of these and
if you broke in there, oh no,you'd see my public posts or
some DM.
I had talking about my Honda.
So not a big deal.
So there's lots of low-risksites that not, but things that

(01:03:44):
are critical.
If you're a developer, github isobviously a critical piece of
your workflow.
You better have that reallylocked down.
We know developers under attack.
We know supply chain attacks,especially against open source
developers, are quite high.
Google's finally put some goodmitigations in for people who
are developing extensions ordoing private key signing for
each one of their posts or eachone of their updates.

(01:04:05):
Google has very clearinstructions.
You don't keep this in yourGoogle account.
So we're getting better at it.
But still, if you lost yourGoogle account or lost those
developer accounts, those arecritical, especially if you're.
You know.
I work with a lot of opensource developers.
If an open source project ispopular, there is someone
gunning for it and trying to getsomething inserted into it
because it's got a big user baseand it presents an opportunity

(01:04:25):
for those who wish to domischief.
It's a great place to bemischievous.

Speaker 1 (01:04:31):
Tom Lawrence, this has been an education.
It's a great place to bemischievous.
Tom Lawrence, this has been aneducation.
It's been entertaining, it'sbeen awesome.
I have so many more things thatI would like to ask you, but
we're well past the hour.
It's a good episode when we goover.
So thank you so much for comingon.
Where can people find you ifthey're living under a rock and
they don't know about TomLawrence?

Speaker 3 (01:04:46):
Easiest way everything and all my socials,
whatever they may be at the timeyou go there, or at
launchsystemscom, I just linkeverything there, even my gaming
profiles there.
Someone says are you on Steam?
I'm like, I'm there too, so Ilinked it there.
If you want to play games withme which I don't play games too
often, but I've made all theopportunities there for whatever
socials I try to be on all ofthem that are within reason, so

(01:05:07):
I'll try to meet platform you'reon.

Speaker 1 (01:05:11):
Awesome, tom.
Thank you so much, jeff, alwaysgood to see you For all things.
Art of NetEng, you can checkout our Linktree at linktreecom.
We have a Discord server.
We have some merch.
What else is on there, jeff?
I don't know.

Speaker 2 (01:05:22):
Not pictures of us.
We're still working on that.

Speaker 1 (01:05:25):
Jeff's fixing the pictures.
But yeah, for all things.
Art of NetEng, check out ourLink tree.
Um, I like to call out thediscord server.
It's all about the journeywhere you can go when we have
study groups for just abouteverything.
I don't know if we have a cyberin there, and if we don't,
somebody should spin one up, butum, yeah, as always thanks so
much.
Huh, so I think, is there acyber?
Yeah, if there isn't, we'regoing over to tom's.

(01:05:46):
Tom's, don't you have?
Don't you have, like, your ownforum of like?
I have four?

Speaker 3 (01:05:49):
I do run forums uh, yeah, I don forum
Forumslaurencesystemscom.
I get a lot of visitors here,about 80,000 a week right now I
think.
Last I looked it's insane.

Speaker 1 (01:06:01):
When I found you and then hit you up on LinkedIn and
we started talking, I somehowsigned up for your forum and I'm
like I couldn't believe howdeep and dense and how much
interaction was there.
It's an amazing, amazing place.

Speaker 3 (01:06:11):
I've been building them for a number of years.
Kind of back to what we saidearlier.
I own that platform, I host itmyself, I manage it myself.
I've always done it for free,turns out running a platform is
not too expensive.
So yeah, and that way I cancontrol it.
I don't like building on otherpeople's platforms that is
essentially self-hosted, but ona public-facing server.

(01:06:35):
So, and they can find thatthrough tomlawrencecom.
Oh yeah, same easy, they'refree to sign up.
They're free to view.
If you don't want to sign up,feel free to view it anonymously
.
Most people do because they'rejust looking for a solution.
When I do write-ups for myvideos, I often link them to my
forums.
That way you can, just becausewho wants to type all those
commands that they see me typeon youtube?
Copy paste, man, make it easy.
Um, you'll also find all mynews files.
I.
I'm back to being transparent.
Anything I do, if I have aDocker config I use, or I have

(01:06:56):
an OPML list for all the people.
Where do you read the news, tom?
Here's my OPML file.
You can actually download itand stick it in your RSS reader
and I keep it up to date.
All that stuff is just thrownall over my forums.
I just try to give it all away.
That's always been my attitude.
No reason, just want to to helpthe community, and by doing
that I've learned a lot.
People usually give mesuggestions on some of that
stuff too, like, hey, did youknow about this?

(01:07:17):
I'm like add it to the list.

Speaker 1 (01:07:18):
Yeah, words of wisdom from Tom Lawrence people
remember people who help them.
I love it, tom.
Thanks so much for coming on.
It's great to our podcast andyour favorite podcatcher.
You can find us on socials atArt of NetEng, and you can visit

(01:07:39):
linktree forward slash Art ofNetEng for links to all of our
content, including the A1 merchstore and our virtual community
on Discord called it's All Aboutthe Journey.
You can see our pretty faces onour YouTube channel named the
Art of Network Engineering.
That's youtubecom.
Forward slash Art of NetEng.
Thanks for listening.

All Episodes

Episode Transcript

Popular Podcasts

Crime Junkie

Stuff You Should Know

New Heights with Jason & Travis Kelce

.css-15opob5{left:0;position:absolute;top:0.8rem;} All Episodes

.css-14f5ked{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:2;overflow:hidden;}Tom Lawrence: Building a Tech Empire by Leading with Value

Episode Transcript

Popular Podcasts

.css-r6mb8g{margin:0;word-break:break-word;display:-webkit-box;-webkit-box-orient:vertical;box-orient:vertical;-webkit-line-clamp:1;overflow:hidden;}Crime Junkie

Stuff You Should Know

New Heights with Jason & Travis Kelce

All Episodes

Tom Lawrence: Building a Tech Empire by Leading with Value

Crime Junkie